Tutorial: How to set up suEXEC in Apache

  1. sbagmeijer
    Since I no longer use Apache for anything, this guide is probably outdated; please keep that in mind.

    Here is a little example of how to set up suEXEC in Apache. Feel free to comment and help make it better.
    If you see something wrong, please do not just post what is wrong, but try to explain it so everyone is able to learn from it.

    In this guide I use the user name "etherus" and the group name "ulyaoth"; change these to suit your machine. The IP that I use in this example is ""; change it to the IP address you are going to use. Finally, throughout this example I use the name "ulyaoth" as the website and directory name; change this to something that fits your situation.

    This guide was tested and created on Fedora 20.

    What is suEXEC
    Apache suEXEC is a feature of the Apache Web server. It allows users to run CGI and SSI applications as a different user - normally, all web server processes run as the default web server user (often wwwrun, apache or nobody). The suEXEC feature consists of a module for the web server and a binary executable which acts as a wrapper.

    If a client requests a CGI script and suEXEC is activated, the server calls the suEXEC binary, which wraps the CGI script and executes it under the user account of the server process (virtual host) defined in the virtual host directive.

    More information can be found at the following websites:
    suEXEC 2.4 Documentation
    suEXEC 2.2 Documentation
    suEXEC 1.3 Documentation
    suEXEC wikipedia

    Before you start, you will have to prepare a few things: you need to create a user name and a separate group name for every website you plan to add.

    Step 1: Create the group "ulyaoth"
    $ groupadd ulyaoth
    Step 2: Create the user "etherus"
    $ useradd -s /sbin/nologin etherus
    Step 3: Set a password for the user "etherus"
    $ passwd etherus
    Step 4: Add the user "etherus" into the group "ulyaoth"
    $ usermod -a -G ulyaoth etherus
    This is a very basic user/group creation, and there should be plenty of better examples on Google or any other search engine.

    Now that we have created the user and placed him in the correct group, it is time to create the directories we will need for our website. I will use the standard "www" directory in Fedora for this example; however, you do not have to do this: you can create a separate partition and create all the directories there.

    Step 5: Create the directory "ulyaoth" inside "/var/www"
    $ mkdir -p /var/www/ulyaoth
    Step 6: Create the directory "logs" inside "/var/www/ulyaoth/" (This will contain the log files that your website will generate)
    $ mkdir -p /var/www/ulyaoth/logs
    Step 7: Create the directory "www" inside "/var/www/ulyaoth" (This will contain the directories of your website)
    $ mkdir -p /var/www/ulyaoth/www
    Step 8: Create the directory "html" inside "/var/www/ulyaoth/www" (This will contain the files for your website)
    $ mkdir -p /var/www/ulyaoth/www/html
    Step 9: Create the directory "cgi-bin" inside "/var/www/ulyaoth/www" (This will contain any scripts your website will use)
    $ mkdir -p /var/www/ulyaoth/www/cgi-bin
    These should be all the directories you need to run a website. All that is left now is to change the permissions and the user/group on those folders.

    Step 10: Change the user and group that own the directory "ulyaoth" and all the subdirectories
    $ chown -R etherus:ulyaoth /var/www/ulyaoth
    Step 11: Change the permission on the ulyaoth directory to 664 and add +x.
    $ chmod 664 /var/www/ulyaoth
    $ chmod +x /var/www/ulyaoth
    Step 12: Change the permission on the logs directory to 664.
    $ chmod 664 /var/www/ulyaoth/logs
    Step 13: Change the permission on the www directory to 664 and add +x.
    $ chmod 664 /var/www/ulyaoth/www
    $ chmod +x /var/www/ulyaoth/www
    Step 14: Change the permission on the cgi-bin directory to 755 and add +x.
    $ chmod 755 /var/www/ulyaoth/www/cgi-bin
    $ chmod +x /var/www/ulyaoth/www/cgi-bin
    Step 15: Change the permission on the html directory to 664 and add +x.
    $ chmod 664 /var/www/ulyaoth/www/html
    $ chmod +x /var/www/ulyaoth/www/html
    Now that we have prepared everything on the server to accept suEXEC, all that is left is editing our httpd.conf, so please open this file and add the following to it.

    Step 16: Add the code below to your vhost.conf and change everything to your needs.
    <VirtualHost *:80>
        ServerAdmin webmaster@ulyaoth.asia
        ServerName ulyaoth.asia
        ServerAlias www.ulyaoth.asia
        DocumentRoot /var/www/ulyaoth/www/html
        DirectoryIndex index.html index.htm index.shtml index.php
        # Run CGI and SSI programs of this vhost as user etherus, group ulyaoth
        SuexecUserGroup etherus ulyaoth
        ErrorLog /var/www/ulyaoth/logs/error_log
        CustomLog /var/www/ulyaoth/logs/access_log common
        ScriptAlias /cgi-bin/ /var/www/ulyaoth/www/cgi-bin/
        # AllowOverride is only valid inside <Directory>, not <Location>
        <Directory /var/www/ulyaoth/www/cgi-bin>
            AllowOverride None
            Order allow,deny
            Allow from all
            Options +ExecCGI
            AddHandler cgi-script .cgi .pl
        </Directory>
    </VirtualHost>
    Now restart your Apache and you have your website running in suEXEC.

    If you run SELinux, errors may arise; you will probably have to execute the following commands:
    $ chcon -R -t httpd_sys_script_exec_t /var/www/ulyaoth/www/cgi-bin
    $ chcon -R -t httpd_log_t /var/www/ulyaoth/logs
    $ setsebool -P httpd_enable_cgi=1
    $ setsebool -P httpd_can_network_connect=1
    $ semanage fcontext -a -t httpd_sys_content_t "/var/www/ulyaoth/www/html(/.*)?"
    If you do not have semanage installed, you can run the following command on a yum-based Linux distro:
    $ yum -y install policycoreutils-python
    This guide may contain many errors and mistakes; I just did this for learning purposes and am sharing it with everyone so that maybe someone else is able to learn from it.

    Again, if I did make mistakes or you know how to do something better, you can point this out by adding a reply; I will then update the topic so we all are able to learn from it.
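
An added example, not part of the original post: a shell pre-flight check modelled on the file checks in Apache's documented suEXEC security model (regular file, inside the docroot, owned by the SuexecUserGroup pair, not writable by group or others, not setuid/setgid). The names `suexec_check` and `demo` and the temporary tree are constructed for illustration; it assumes GNU `stat` and `readlink -f`.

```bash
#!/usr/bin/env bash
# Added example, not from the guide. Usage: suexec_check SCRIPT USER GROUP DOCROOT
# Prints a verdict and returns 0 only when every check passes.
suexec_check() {
    local script="$1" want="$2:$3" docroot dir mode
    docroot=$(readlink -f -- "$4")
    # suEXEC lstat()s the program, so a symlink or missing file is rejected.
    if [ -L "$script" ] || [ ! -f "$script" ]; then
        echo "FAIL: not a regular file"; return 1
    fi
    dir=$(dirname -- "$(readlink -f -- "$script")")
    # The script's directory must be inside the docroot compiled into suexec.
    case "$dir/" in
        "$docroot"/*) ;;
        *) echo "FAIL: outside docroot"; return 1 ;;
    esac
    # Directory and program must both belong to the SuexecUserGroup pair.
    if [ "$(stat -c '%U:%G' -- "$dir")" != "$want" ] ||
       [ "$(stat -c '%U:%G' -- "$script")" != "$want" ]; then
        echo "FAIL: owner mismatch"; return 1
    fi
    # Neither may be writable by group or others (mode bits 022).
    mode=$(stat -c '%a' -- "$dir")
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL: directory writable by others"; return 1
    fi
    mode=$(stat -c '%a' -- "$script")
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL: program writable by others"; return 1
    fi
    # setuid/setgid programs are refused.
    if [ $(( 0$mode & 06000 )) -ne 0 ]; then
        echo "FAIL: program is setuid/setgid"; return 1
    fi
    echo "OK"
}

# Constructed demo: a throwaway tree shaped like /var/www/ulyaoth, owned by the caller.
demo() {
    local root cgi u g
    root=$(mktemp -d); cgi="$root/www/cgi-bin/test.cgi"
    mkdir -p "$root/www/cgi-bin"; chmod 755 "$root" "$root/www" "$root/www/cgi-bin"
    printf '#!/bin/sh\necho ok\n' > "$cgi"; chmod 755 "$cgi"
    u=$(stat -c %U -- "$cgi"); g=$(stat -c %G -- "$cgi")
    echo "cgi-bin 755: $(suexec_check "$cgi" "$u" "$g" "$root")"
    chmod 775 "$root/www/cgi-bin"   # group-writable directory
    echo "cgi-bin 775: $(suexec_check "$cgi" "$u" "$g" "$root")"
    rm -rf "$root"
}
demo
```

On a host set up as in this guide, it would be run as root along the lines of `suexec_check /var/www/ulyaoth/www/cgi-bin/test.cgi etherus ulyaoth /var/www`, where the script name and the `/var/www` docroot are assumptions. The docroot and minimum UID actually compiled into the binary are shown by `suexec -V` run as root.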